We have no reason to believe any of our servers were targeted or exploited via this security flaw, but given the nature of the flaw it's impossible to know whether it was being exploited before it was announced.

Because of this, we are recommending that all FastMail users log out of all existing sessions and change their account passwords.

Again, there is no evidence that our servers or your password have been compromised, but we recommend this as a precautionary measure.

If you hate remembering passwords, we recommend you use a password manager to remember them for you. Most modern browsers (e.g. Firefox or Chrome) have a password manager built in and will offer to remember your passwords for you. LastPass and 1Password are also popular choices.

When you choose a new password, it's important that you do not reuse a password you use anywhere else, and that you choose one with reasonable complexity.

Your email is often the key to your online world. Many sites let you reset your password by sending a reset code to your email address. When you reuse your FastMail password at other sites, you make it much easier for attackers to break into your email account. Other sites often don't have the same security measures as FastMail (such as compulsory HTTPS, locked-down servers, etc.), which makes them much easier for criminals to break into. If an attacker obtains your email address and the same password that you use for FastMail from one of those sites, they can access your email account and, from there, reset their way into everything else you use online.

If you already use alternative logins, we recommend you delete them and re-add them after changing your base password, so that none of them still depend on the old password.

To change your password and log out of all existing sessions, follow the steps below for the interface you use.

Change password in current interface

Log in to your FastMail account using the web interface

From the menu at the top left, select 'Password & Security'

Enter your existing password where directed

Enter your new password where directed, then re-enter it to make sure
it was typed correctly

In the 'Logged in Sessions' section, click 'Log out' next to each
existing session

Click 'Done' to dismiss the panel

From the menu at the top left, select 'Log out'

Now log in to your account again with your new password. This is
useful because a password manager will prompt you to save the new
password at this point.

Change password in 'classic' interface

Log in to your FastMail account using the web interface

Select the 'Account' item at the top right

Select the 'Password/Security Settings' item

Enter your new password where directed, then re-enter it to make sure
it was typed correctly

Enter your existing password where directed

Click 'Update Password'

Click 'Logged In Sessions' in the sidebar on the left

Click 'Delete' next to each existing session

Click 'Log out' at the top right

Now log in to your account again with your new password. This is
useful because a password manager will prompt you to save the new
password at this point.

Again, this is a highly precautionary measure. FastMail takes security extremely seriously and has always tried to be proactive in keeping our customers' accounts and data as secure as possible.